From 47d0e4f4810476d129390a4515cfe436c5206f7a Mon Sep 17 00:00:00 2001
From: David Eads
Date: Tue, 31 Jul 2018 14:20:47 -0400
Subject: [PATCH 1/3] avoid unnecessary admission plugin initializers
---
.../admission/restrictusers/restrictusers.go | 24 +++---
.../restrictusers/restrictusers_test.go | 17 ++---
.../strategyrestrictions/admission.go | 21 ++++--
pkg/cmd/openshift-apiserver/server.go | 2 +-
.../controller_manager.go | 2 +-
pkg/cmd/server/admission/init.go | 58 +++------------
pkg/cmd/server/admission/types.go | 44 -----------
.../origin/admission/plugin_initializer.go | 74 ++++++-------------
pkg/cmd/server/origin/authenticator.go | 2 +-
pkg/cmd/server/origin/informers.go | 8 +-
pkg/cmd/server/origin/master_config.go | 8 +-
pkg/cmd/server/start/start_master.go | 2 +-
.../admission/imagepolicy/imagepolicy.go | 14 +++-
.../admission/imagepolicy/imagepolicy_test.go | 4 +-
.../admission/requestlimit/admission.go | 14 +++-
.../admission/requestlimit/admission_test.go | 4 +-
.../clusterresourcequota/admission.go | 19 +++--
.../registry/route/etcd/etcd_test.go | 2 +-
18 files changed, 119 insertions(+), 200 deletions(-)
diff --git a/pkg/authorization/apiserver/admission/restrictusers/restrictusers.go b/pkg/authorization/apiserver/admission/restrictusers/restrictusers.go
index 8e51fb3698db..02de30c4c933 100644
--- a/pkg/authorization/apiserver/admission/restrictusers/restrictusers.go
+++ b/pkg/authorization/apiserver/admission/restrictusers/restrictusers.go
@@ -5,17 +5,18 @@ import ( "fmt" "io" + "k8s.io/client-go/rest" kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" "github.com/golang/glog" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" kerrors "k8s.io/apimachinery/pkg/util/errors" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apiserver/pkg/admission" "k8s.io/kubernetes/pkg/apis/rbac" kadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" userapi "github.com/openshift/api/user/v1" - authorizationclient "github.com/openshift/client-go/authorization/clientset/versioned" authorizationtypedclient "github.com/openshift/client-go/authorization/clientset/versioned/typed/authorization/v1" userclient "github.com/openshift/client-go/user/clientset/versioned" userinformer "github.com/openshift/client-go/user/informers/externalversions" @@ -46,8 +47,7 @@ type restrictUsersAdmission struct { groupCache GroupCache } -var _ = oadmission.WantsOpenshiftInternalAuthorizationClient(&restrictUsersAdmission{}) -var _ = oadmission.WantsOpenshiftInternalUserClient(&restrictUsersAdmission{}) +var _ = oadmission.WantsRESTClientConfig(&restrictUsersAdmission{}) var _ = oadmission.WantsUserInformer(&restrictUsersAdmission{}) var _ = kadmission.WantsInternalKubeClientSet(&restrictUsersAdmission{}) 
@@ -63,12 +63,18 @@ func (q *restrictUsersAdmission) SetInternalKubeClientSet(c kclientset.Interface q.kclient = c } -func (q *restrictUsersAdmission) SetOpenshiftInternalAuthorizationClient(roleBindingRestrictionsGetter authorizationclient.Interface) { - q.roleBindingRestrictionsGetter = roleBindingRestrictionsGetter.Authorization() -} - -func (q *restrictUsersAdmission) SetOpenshiftInternalUserClient(userClient userclient.Interface) { - q.userClient = userClient +func (q *restrictUsersAdmission) SetRESTClientConfig(restClientConfig rest.Config) { + var err error + q.roleBindingRestrictionsGetter, err = authorizationtypedclient.NewForConfig(&restClientConfig) + if err != nil { + utilruntime.HandleError(err) + return + } + q.userClient, err = userclient.NewForConfig(&restClientConfig) + if err != nil { + utilruntime.HandleError(err) + return + } } func (q *restrictUsersAdmission) SetUserInformer(userInformers userinformer.SharedInformerFactory) { diff --git a/pkg/authorization/apiserver/admission/restrictusers/restrictusers_test.go b/pkg/authorization/apiserver/admission/restrictusers/restrictusers_test.go index 88aac88f2ff0..b4badf4b6a52 100644 --- a/pkg/authorization/apiserver/admission/restrictusers/restrictusers_test.go +++ b/pkg/authorization/apiserver/admission/restrictusers/restrictusers_test.go @@ -5,6 +5,10 @@ import ( "strings" "testing" + authorizationapi "github.com/openshift/api/authorization/v1" + userapi "github.com/openshift/api/user/v1" + fakeauthorizationclient "github.com/openshift/client-go/authorization/clientset/versioned/fake" + fakeuserclient "github.com/openshift/client-go/user/clientset/versioned/fake" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" 
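Review bot: A failed `NewForConfig` in `SetRESTClientConfig` can leave the plugin looking initialized, because the result is assigned straight into `q.roleBindingRestrictionsGetter` and `q.userClient`. The removed setters assigned interface values to these fields, so on error they would hold a typed nil pointer that a plain `== nil` check does not catch, and the error itself only goes to `utilruntime.HandleError`. `ValidateInitialization` is outside this hunk, so it is worth confirming that it still rejects the plugin at startup instead of the failure surfacing while a role binding is being admitted. Building each client into a local and assigning the fields only after both succeed avoids the typed nil and the half-configured state. The same pattern appears in the `SetRESTClientConfig` methods added to strategyrestrictions/admission.go, imagepolicy/imagepolicy.go and requestlimit/admission.go.

```go
func (q *restrictUsersAdmission) SetRESTClientConfig(restClientConfig rest.Config) {
	// Build into locals so a failure never stores a typed nil pointer in an interface field.
	authorizationClient, err := authorizationtypedclient.NewForConfig(&restClientConfig)
	if err != nil {
		utilruntime.HandleError(err)
		return
	}
	userClient, err := userclient.NewForConfig(&restClientConfig)
	if err != nil {
		utilruntime.HandleError(err)
		return
	}
	q.roleBindingRestrictionsGetter = authorizationClient
	q.userClient = userClient
}
```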
@@ -13,13 +17,6 @@ import ( kapi "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/apis/rbac" "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake" - kadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" - - authorizationapi "github.com/openshift/api/authorization/v1" - userapi "github.com/openshift/api/user/v1" - fakeauthorizationclient "github.com/openshift/client-go/authorization/clientset/versioned/fake" - fakeuserclient "github.com/openshift/client-go/user/clientset/versioned/fake" - oadmission "github.com/openshift/origin/pkg/cmd/server/admission" ) func TestAdmission(t *testing.T) { @@ -365,9 +362,9 @@ func TestAdmission(t *testing.T) { t.Errorf("unexpected error initializing admission plugin: %v", err) } - plugin.(kadmission.WantsInternalKubeClientSet).SetInternalKubeClientSet(kclientset) - plugin.(oadmission.WantsOpenshiftInternalAuthorizationClient).SetOpenshiftInternalAuthorizationClient(fakeAuthorizationClient) - plugin.(oadmission.WantsOpenshiftInternalUserClient).SetOpenshiftInternalUserClient(fakeUserClient) + plugin.(*restrictUsersAdmission).kclient = kclientset + plugin.(*restrictUsersAdmission).roleBindingRestrictionsGetter = fakeAuthorizationClient.AuthorizationV1() + plugin.(*restrictUsersAdmission).userClient = fakeUserClient plugin.(*restrictUsersAdmission).groupCache = fakeGroupCache{} err = admission.ValidateInitialization(plugin) diff --git a/pkg/build/apiserver/admission/strategyrestrictions/admission.go b/pkg/build/apiserver/admission/strategyrestrictions/admission.go index 91235199b015..a4071356cbf6 100644 --- a/pkg/build/apiserver/admission/strategyrestrictions/admission.go +++ b/pkg/build/apiserver/admission/strategyrestrictions/admission.go 
@@ -5,24 +5,26 @@ import ( "io" "strings" - "github.com/openshift/api/build" - "github.com/openshift/origin/pkg/api/legacy" - "github.com/openshift/origin/pkg/build/buildscheme" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apiserver/pkg/admission" + "k8s.io/client-go/rest" + "k8s.io/kubernetes/pkg/apis/authorization" kapihelper "k8s.io/kubernetes/pkg/apis/core/helper" "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" rbacregistry "k8s.io/kubernetes/pkg/registry/rbac" + "github.com/openshift/api/build" buildclient "github.com/openshift/client-go/build/clientset/versioned" + "github.com/openshift/origin/pkg/api/legacy" "github.com/openshift/origin/pkg/authorization/util" buildapi "github.com/openshift/origin/pkg/build/apis/build" + "github.com/openshift/origin/pkg/build/buildscheme" oadmission "github.com/openshift/origin/pkg/cmd/server/admission" "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" - "k8s.io/kubernetes/pkg/apis/authorization" ) func Register(plugins *admission.Plugins) { @@ -39,7 +41,7 @@ type buildByStrategy struct { } var _ = kubeadmission.WantsInternalKubeClientSet(&buildByStrategy{}) -var _ = oadmission.WantsOpenshiftInternalBuildClient(&buildByStrategy{}) +var _ = oadmission.WantsRESTClientConfig(&buildByStrategy{}) // NewBuildByStrategy returns an admission control for builds that checks // on policy based on the build strategy type 
@@ -88,8 +90,13 @@ func (a *buildByStrategy) SetInternalKubeClientSet(c internalclientset.Interface a.sarClient = c.Authorization().SubjectAccessReviews() } -func (a *buildByStrategy) SetOpenshiftInternalBuildClient(c buildclient.Interface) { - a.buildClient = c +func (a *buildByStrategy) SetRESTClientConfig(restClientConfig rest.Config) { + var err error + a.buildClient, err = buildclient.NewForConfig(&restClientConfig) + if err != nil { + utilruntime.HandleError(err) + return + } } func (a *buildByStrategy) ValidateInitialization() error { diff --git a/pkg/cmd/openshift-apiserver/server.go b/pkg/cmd/openshift-apiserver/server.go index ccd6e40fc2c1..0f38ba4606f2 100644 --- a/pkg/cmd/openshift-apiserver/server.go +++ b/pkg/cmd/openshift-apiserver/server.go @@ -51,7 +51,7 @@ func RunOpenShiftAPIServer(masterConfig *configapi.MasterConfig) error { return err } - if err := informers.GetInternalOpenshiftUserInformers().User().V1().Groups().Informer().AddIndexers(cache.Indexers{ + if err := informers.GetOpenshiftUserInformers().User().V1().Groups().Informer().AddIndexers(cache.Indexers{ usercache.ByUserIndexName: usercache.ByUserIndexKeys, }); err != nil { return err diff --git a/pkg/cmd/openshift-controller-manager/controller_manager.go b/pkg/cmd/openshift-controller-manager/controller_manager.go index 3eaed6727e91..a8158a60283a 100644 --- a/pkg/cmd/openshift-controller-manager/controller_manager.go +++ b/pkg/cmd/openshift-controller-manager/controller_manager.go 
@@ -146,7 +146,7 @@ func newControllerContext( InternalNetworkInformers: originInformers.GetInternalOpenshiftNetworkInformers(), InternalQuotaInformers: originInformers.GetInternalOpenshiftQuotaInformers(), InternalSecurityInformers: originInformers.GetInternalOpenshiftSecurityInformers(), - InternalRouteInformers: originInformers.GetInternalOpenshiftRouteInformers(), + InternalRouteInformers: originInformers.GetOpenshiftRouteInformers(), InternalTemplateInformers: originInformers.GetInternalOpenshiftTemplateInformers(), GenericResourceInformer: originInformers.ToGenericInformer(), Stop: stopCh, diff --git a/pkg/cmd/server/admission/init.go b/pkg/cmd/server/admission/init.go index e0c76ef5ddec..d671fa466c3f 100644 --- a/pkg/cmd/server/admission/init.go +++ b/pkg/cmd/server/admission/init.go 
@@ -2,85 +2,45 @@ package admission import ( "k8s.io/apiserver/pkg/admission" - "k8s.io/apiserver/pkg/admission/initializer" - kauthorizer "k8s.io/apiserver/pkg/authorization/authorizer" restclient "k8s.io/client-go/rest" - kinternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" - kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" "k8s.io/kubernetes/pkg/quota" - authorizationclient "github.com/openshift/client-go/authorization/clientset/versioned" - buildclient "github.com/openshift/client-go/build/clientset/versioned" - userclient "github.com/openshift/client-go/user/clientset/versioned" userinformer "github.com/openshift/client-go/user/informers/externalversions" configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" imageapi "github.com/openshift/origin/pkg/image/apis/image" - imageclient "github.com/openshift/origin/pkg/image/generated/internalclientset" "github.com/openshift/origin/pkg/project/cache" "github.com/openshift/origin/pkg/quota/controller/clusterquotamapping" quotainformer "github.com/openshift/origin/pkg/quota/generated/informers/internalversion/quota/internalversion" - quotaclient "github.com/openshift/origin/pkg/quota/generated/internalclientset" securityinformer "github.com/openshift/origin/pkg/security/generated/informers/internalversion" ) type PluginInitializer struct { - OpenshiftInternalAuthorizationClient authorizationclient.Interface - OpenshiftInternalBuildClient buildclient.Interface - OpenshiftInternalImageClient imageclient.Interface - OpenshiftInternalQuotaClient quotaclient.Interface - OpenshiftInternalUserClient userclient.Interface - ProjectCache *cache.ProjectCache - OriginQuotaRegistry quota.Registry - Authorizer kauthorizer.Authorizer - JenkinsPipelineConfig configapi.JenkinsPipelineConfig - RESTClientConfig restclient.Config - Informers kinternalinformers.SharedInformerFactory - ClusterResourceQuotaInformer quotainformer.ClusterResourceQuotaInformer - 
ClusterQuotaMapper clusterquotamapping.ClusterQuotaMapper - RegistryHostnameRetriever imageapi.RegistryHostnameRetriever - SecurityInformers securityinformer.SharedInformerFactory - UserInformers userinformer.SharedInformerFactory + ProjectCache *cache.ProjectCache + OriginQuotaRegistry quota.Registry + JenkinsPipelineConfig configapi.JenkinsPipelineConfig + RESTClientConfig restclient.Config + ClusterResourceQuotaInformer quotainformer.ClusterResourceQuotaInformer + ClusterQuotaMapper clusterquotamapping.ClusterQuotaMapper + RegistryHostnameRetriever imageapi.RegistryHostnameRetriever + SecurityInformers securityinformer.SharedInformerFactory + UserInformers userinformer.SharedInformerFactory } // Initialize will check the initialization interfaces implemented by each plugin // and provide the appropriate initialization data func (i *PluginInitializer) Initialize(plugin admission.Interface) { - if wantsOpenshiftAuthorizationClient, ok := plugin.(WantsOpenshiftInternalAuthorizationClient); ok { - wantsOpenshiftAuthorizationClient.SetOpenshiftInternalAuthorizationClient(i.OpenshiftInternalAuthorizationClient) - } - if wantsOpenshiftBuildClient, ok := plugin.(WantsOpenshiftInternalBuildClient); ok { - wantsOpenshiftBuildClient.SetOpenshiftInternalBuildClient(i.OpenshiftInternalBuildClient) - } - if wantsOpenshiftImageClient, ok := plugin.(WantsOpenshiftInternalImageClient); ok { - wantsOpenshiftImageClient.SetOpenshiftInternalImageClient(i.OpenshiftInternalImageClient) - } - if wantsOpenshiftQuotaClient, ok := plugin.(WantsOpenshiftInternalQuotaClient); ok { - wantsOpenshiftQuotaClient.SetOpenshiftInternalQuotaClient(i.OpenshiftInternalQuotaClient) - } - if wantsOpenshiftInternalUserClient, ok := plugin.(WantsOpenshiftInternalUserClient); ok { - wantsOpenshiftInternalUserClient.SetOpenshiftInternalUserClient(i.OpenshiftInternalUserClient) - } if wantsProjectCache, ok := plugin.(WantsProjectCache); ok { wantsProjectCache.SetProjectCache(i.ProjectCache) } if 
wantsOriginQuotaRegistry, ok := plugin.(WantsOriginQuotaRegistry); ok { wantsOriginQuotaRegistry.SetOriginQuotaRegistry(i.OriginQuotaRegistry) } - if kubeWantsAuthorizer, ok := plugin.(initializer.WantsAuthorizer); ok { - kubeWantsAuthorizer.SetAuthorizer(i.Authorizer) - } if wantsJenkinsPipelineConfig, ok := plugin.(WantsJenkinsPipelineConfig); ok { wantsJenkinsPipelineConfig.SetJenkinsPipelineConfig(i.JenkinsPipelineConfig) } if wantsRESTClientConfig, ok := plugin.(WantsRESTClientConfig); ok { wantsRESTClientConfig.SetRESTClientConfig(i.RESTClientConfig) } - if wantsInformers, ok := plugin.(WantsInternalKubernetesInformers); ok { - wantsInformers.SetInternalKubernetesInformers(i.Informers) - } - if wantsInformerFactory, ok := plugin.(kubeapiserveradmission.WantsInternalKubeInformerFactory); ok { - wantsInformerFactory.SetInternalKubeInformerFactory(i.Informers) - } if wantsClusterQuota, ok := plugin.(WantsClusterQuota); ok { wantsClusterQuota.SetClusterQuota(i.ClusterQuotaMapper, i.ClusterResourceQuotaInformer) } diff --git a/pkg/cmd/server/admission/types.go b/pkg/cmd/server/admission/types.go index 9971abe97ef1..e9261a6e141f 100644 --- a/pkg/cmd/server/admission/types.go +++ b/pkg/cmd/server/admission/types.go 
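Review bot: `Initialize` no longer handles `initializer.WantsAuthorizer`, `WantsInternalKubernetesInformers` or `kubeapiserveradmission.WantsInternalKubeInformerFactory`, and since every branch is a type assertion, a plugin that still depends on this initializer for one of them is skipped without any signal. Whether the other initializers in the chain cover every such plugin is not visible in this hunk, so the only safety net would be each plugin's own `ValidateInitialization`. `PluginInitializer` is exported and has no doc comment; I would add one that lists what it injects and states what it deliberately does not, for example `// PluginInitializer injects OpenShift-specific dependencies only; the authorizer and kube informers must come from the other initializers in the chain.`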
@@ -3,53 +3,16 @@ package admission import ( "k8s.io/apiserver/pkg/admission" restclient "k8s.io/client-go/rest" - kinternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" "k8s.io/kubernetes/pkg/quota" - authorizationclient "github.com/openshift/client-go/authorization/clientset/versioned" - buildclient "github.com/openshift/client-go/build/clientset/versioned" - userclient "github.com/openshift/client-go/user/clientset/versioned" userinformer "github.com/openshift/client-go/user/informers/externalversions" configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" - imageclient "github.com/openshift/origin/pkg/image/generated/internalclientset" "github.com/openshift/origin/pkg/project/cache" "github.com/openshift/origin/pkg/quota/controller/clusterquotamapping" quotainformer "github.com/openshift/origin/pkg/quota/generated/informers/internalversion/quota/internalversion" - quotaclient "github.com/openshift/origin/pkg/quota/generated/internalclientset" securityinformer "github.com/openshift/origin/pkg/security/generated/informers/internalversion" ) -type WantsOpenshiftInternalAuthorizationClient interface { - SetOpenshiftInternalAuthorizationClient(authorizationclient.Interface) - admission.InitializationValidator -} - -type WantsOpenshiftInternalBuildClient interface { - SetOpenshiftInternalBuildClient(buildclient.Interface) - admission.InitializationValidator -} - -// WantsOpenshiftInternalQuotaClient should be implemented by admission plugins that need -// an Openshift internal quota client -type WantsOpenshiftInternalQuotaClient interface { - SetOpenshiftInternalQuotaClient(quotaclient.Interface) - admission.InitializationValidator -} - -// WantsOpenshiftInternalUserClient should be implemented by admission plugins that need -// an Openshift internal user client -type WantsOpenshiftInternalUserClient interface { - SetOpenshiftInternalUserClient(userclient.Interface) - admission.InitializationValidator -} - -// 
WantsOpenshiftInternalImageClient should be implemented by admission plugins that need -// an Openshift internal image client -type WantsOpenshiftInternalImageClient interface { - SetOpenshiftInternalImageClient(imageclient.Interface) - admission.InitializationValidator -} - // WantsProjectCache should be implemented by admission plugins that need a // project cache type WantsProjectCache interface { @@ -76,13 +39,6 @@ type WantsRESTClientConfig interface { admission.InitializationValidator } -// WantsInternalKubernetesInformers should be implemented by admission plugins that need the internal kubernetes -// informers. -type WantsInternalKubernetesInformers interface { - SetInternalKubernetesInformers(kinternalinformers.SharedInformerFactory) - admission.InitializationValidator -} - // WantsClusterQuota should be implemented by admission plugins that need to know how to map between // cluster quota and namespaces and get access to the informer. type WantsClusterQuota interface { diff --git a/pkg/cmd/server/origin/admission/plugin_initializer.go b/pkg/cmd/server/origin/admission/plugin_initializer.go index 79339412f5c9..e762b3914628 100644 --- a/pkg/cmd/server/origin/admission/plugin_initializer.go +++ b/pkg/cmd/server/origin/admission/plugin_initializer.go 
@@ -5,23 +5,6 @@ import ( "io/ioutil" "os" - authorizationclient "github.com/openshift/client-go/authorization/clientset/versioned" - buildclient "github.com/openshift/client-go/build/clientset/versioned" - userclient "github.com/openshift/client-go/user/clientset/versioned" - userinformer "github.com/openshift/client-go/user/informers/externalversions" - oadmission "github.com/openshift/origin/pkg/cmd/server/admission" - configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" - kubernetes "github.com/openshift/origin/pkg/cmd/server/kubernetes/master" - imageapi "github.com/openshift/origin/pkg/image/apis/image" - imageinformer "github.com/openshift/origin/pkg/image/generated/informers/internalversion" - imageclient "github.com/openshift/origin/pkg/image/generated/internalclientset" - projectcache "github.com/openshift/origin/pkg/project/cache" - "github.com/openshift/origin/pkg/quota/controller/clusterquotamapping" - quotainformer "github.com/openshift/origin/pkg/quota/generated/informers/internalversion" - quotaclient "github.com/openshift/origin/pkg/quota/generated/internalclientset" - "github.com/openshift/origin/pkg/quota/image" - securityinformer "github.com/openshift/origin/pkg/security/generated/informers/internalversion" - "github.com/openshift/origin/pkg/service" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -40,6 +23,20 @@ import ( kadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" "k8s.io/kubernetes/pkg/quota/generic" "k8s.io/kubernetes/pkg/quota/install" + + userinformer "github.com/openshift/client-go/user/informers/externalversions" + oadmission "github.com/openshift/origin/pkg/cmd/server/admission" + configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" + kubernetes "github.com/openshift/origin/pkg/cmd/server/kubernetes/master" + imageapi "github.com/openshift/origin/pkg/image/apis/image" + imageinformer "github.com/openshift/origin/pkg/image/generated/informers/internalversion" + imageclient "github.com/openshift/origin/pkg/image/generated/internalclientset" + projectcache "github.com/openshift/origin/pkg/project/cache" + "github.com/openshift/origin/pkg/quota/controller/clusterquotamapping" + quotainformer "github.com/openshift/origin/pkg/quota/generated/informers/internalversion" + "github.com/openshift/origin/pkg/quota/image" + securityinformer "github.com/openshift/origin/pkg/security/generated/informers/internalversion" + "github.com/openshift/origin/pkg/service" ) type InformerAccess interface { @@ -48,7 +45,7 @@ type InformerAccess interface { GetInternalOpenshiftImageInformers() imageinformer.SharedInformerFactory GetInternalOpenshiftQuotaInformers() quotainformer.SharedInformerFactory GetInternalOpenshiftSecurityInformers() securityinformer.SharedInformerFactory - GetInternalOpenshiftUserInformers() userinformer.SharedInformerFactory + GetOpenshiftUserInformers() userinformer.SharedInformerFactory } func NewPluginInitializer( 
@@ -68,26 +65,10 @@ func NewPluginInitializer( if err != nil { return nil, err } - authorizationClient, err := authorizationclient.NewForConfig(privilegedLoopbackConfig) - if err != nil { - return nil, err - } - buildClient, err := buildclient.NewForConfig(privilegedLoopbackConfig) - if err != nil { - return nil, err - } imageClient, err := imageclient.NewForConfig(privilegedLoopbackConfig) if err != nil { return nil, err } - quotaClient, err := quotaclient.NewForConfig(privilegedLoopbackConfig) - if err != nil { - return nil, err - } - userClient, err := userclient.NewForConfig(privilegedLoopbackConfig) - if err != nil { - return nil, err - } // TODO make a union registry quotaRegistry := generic.NewRegistry(install.NewQuotaConfigurationForAdmission().Evaluators()) 
@@ -158,22 +139,15 @@ func NewPluginInitializer( ) openshiftPluginInitializer := &oadmission.PluginInitializer{ - OpenshiftInternalAuthorizationClient: authorizationClient, - OpenshiftInternalBuildClient: buildClient, - OpenshiftInternalImageClient: imageClient, - OpenshiftInternalQuotaClient: quotaClient, - OpenshiftInternalUserClient: userClient, - ProjectCache: projectCache, - OriginQuotaRegistry: quotaRegistry, - Authorizer: authorizer, - JenkinsPipelineConfig: options.JenkinsPipelineConfig, - RESTClientConfig: *privilegedLoopbackConfig, - Informers: informers.GetInternalKubernetesInformers(), - ClusterResourceQuotaInformer: informers.GetInternalOpenshiftQuotaInformers().Quota().InternalVersion().ClusterResourceQuotas(), - ClusterQuotaMapper: clusterQuotaMappingController.GetClusterQuotaMapper(), - RegistryHostnameRetriever: imageapi.DefaultRegistryHostnameRetriever(defaultRegistryFunc, options.ImagePolicyConfig.ExternalRegistryHostname, options.ImagePolicyConfig.InternalRegistryHostname), - SecurityInformers: informers.GetInternalOpenshiftSecurityInformers(), - UserInformers: informers.GetInternalOpenshiftUserInformers(), + ProjectCache: projectCache, + OriginQuotaRegistry: quotaRegistry, + JenkinsPipelineConfig: options.JenkinsPipelineConfig, + RESTClientConfig: *privilegedLoopbackConfig, + ClusterResourceQuotaInformer: informers.GetInternalOpenshiftQuotaInformers().Quota().InternalVersion().ClusterResourceQuotas(), + ClusterQuotaMapper: clusterQuotaMappingController.GetClusterQuotaMapper(), + RegistryHostnameRetriever: imageapi.DefaultRegistryHostnameRetriever(defaultRegistryFunc, options.ImagePolicyConfig.ExternalRegistryHostname, options.ImagePolicyConfig.InternalRegistryHostname), + SecurityInformers: informers.GetInternalOpenshiftSecurityInformers(), + UserInformers: informers.GetOpenshiftUserInformers(), } return admission.PluginInitializers{genericInitializer, webhookInitializer, kubePluginInitializer, openshiftPluginInitializer}, nil 
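Review bot: `RESTClientConfig: *privilegedLoopbackConfig` is now the only way the converted plugins reach the API, so each of them receives a copy of the privileged loopback config instead of the single typed client it was handed before. That is wider than a plugin such as the project request limit needs (its setter builds only a user client), and nothing in the struct literal says the config is privileged. I would add a comment on the field, `// RESTClientConfig is the privileged loopback config; plugins should build only the clients they need from it and must not log or retain it.`, and treat narrowing it as a follow-up. `NewPluginInitializer` starts outside this hunk.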
diff --git a/pkg/cmd/server/origin/authenticator.go b/pkg/cmd/server/origin/authenticator.go index 7ada16f4e97c..24e151b485a0 100644 --- a/pkg/cmd/server/origin/authenticator.go +++ b/pkg/cmd/server/origin/authenticator.go @@ -68,7 +68,7 @@ func NewAuthenticator( serviceAccountTokenGetter, userClient.User().Users(), apiClientCAs, - usercache.NewGroupCache(informers.GetInternalOpenshiftUserInformers().User().V1().Groups()), + usercache.NewGroupCache(informers.GetOpenshiftUserInformers().User().V1().Groups()), ) } diff --git a/pkg/cmd/server/origin/informers.go b/pkg/cmd/server/origin/informers.go index b9f40d8cac0b..d179772feb51 100644 --- a/pkg/cmd/server/origin/informers.go +++ b/pkg/cmd/server/origin/informers.go @@ -242,7 +242,7 @@ func (i *informerHolder) GetInternalOpenshiftOauthInformers() oauthinformer.Shar func (i *informerHolder) GetInternalOpenshiftQuotaInformers() quotainformer.SharedInformerFactory { return i.quotaInformers } -func (i *informerHolder) GetInternalOpenshiftRouteInformers() routeinformer.SharedInformerFactory { +func (i *informerHolder) GetOpenshiftRouteInformers() routeinformer.SharedInformerFactory { return i.routeInformers } func (i *informerHolder) GetInternalOpenshiftSecurityInformers() securityinformer.SharedInformerFactory { @@ -251,7 +251,7 @@ func (i *informerHolder) GetInternalOpenshiftSecurityInformers() securityinforme func (i *informerHolder) GetInternalOpenshiftTemplateInformers() templateinformer.SharedInformerFactory { return i.templateInformers } -func (i *informerHolder) GetInternalOpenshiftUserInformers() userinformer.SharedInformerFactory { +func (i *informerHolder) GetOpenshiftUserInformers() userinformer.SharedInformerFactory { return i.userInformers } 
@@ -298,7 +298,7 @@ func (i *informerHolder) ToGenericInformer() GenericResourceInformer { return i.GetInternalOpenshiftQuotaInformers().ForResource(resource) }), genericResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) { - return i.GetInternalOpenshiftRouteInformers().ForResource(resource) + return i.GetOpenshiftRouteInformers().ForResource(resource) }), genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) { return i.GetInternalOpenshiftSecurityInformers().ForResource(resource) @@ -307,7 +307,7 @@ func (i *informerHolder) ToGenericInformer() GenericResourceInformer { return i.GetInternalOpenshiftTemplateInformers().ForResource(resource) }), genericResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) { - return i.GetInternalOpenshiftUserInformers().ForResource(resource) + return i.GetOpenshiftUserInformers().ForResource(resource) }), ) } diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go index 715476fea57d..f3142446edbb 100644 --- a/pkg/cmd/server/origin/master_config.go +++ b/pkg/cmd/server/origin/master_config.go @@ -110,6 +110,8 @@ type InformerAccess interface { GetKubernetesInformers() kinformers.SharedInformerFactory GetOpenshiftAppInformers() appsinformer.SharedInformerFactory + GetOpenshiftRouteInformers() routeinformer.SharedInformerFactory + GetOpenshiftUserInformers() userinformer.SharedInformerFactory GetInternalOpenshiftAuthorizationInformers() authorizationinformer.SharedInformerFactory GetInternalOpenshiftBuildInformers() buildinformer.SharedInformerFactory 
@@ -118,8 +120,6 @@ type InformerAccess interface { GetInternalOpenshiftOauthInformers() oauthinformer.SharedInformerFactory GetInternalOpenshiftQuotaInformers() quotainformer.SharedInformerFactory GetInternalOpenshiftSecurityInformers() securityinformer.SharedInformerFactory - GetInternalOpenshiftRouteInformers() routeinformer.SharedInformerFactory - GetInternalOpenshiftUserInformers() userinformer.SharedInformerFactory GetInternalOpenshiftTemplateInformers() templateinformer.SharedInformerFactory ToGenericInformer() GenericResourceInformer @@ -145,7 +145,7 @@ func BuildMasterConfig( if err != nil { return nil, err } - if err := realLoopbackInformers.GetInternalOpenshiftUserInformers().User().V1().Groups().Informer().AddIndexers(cache.Indexers{ + if err := realLoopbackInformers.GetOpenshiftUserInformers().User().V1().Groups().Informer().AddIndexers(cache.Indexers{ usercache.ByUserIndexName: usercache.ByUserIndexKeys, }); err != nil { return nil, err @@ -257,7 +257,7 @@ func BuildMasterConfig( AuthorizationInformers: informers.GetInternalOpenshiftAuthorizationInformers(), QuotaInformers: informers.GetInternalOpenshiftQuotaInformers(), SecurityInformers: informers.GetInternalOpenshiftSecurityInformers(), - RouteInformers: informers.GetInternalOpenshiftRouteInformers(), + RouteInformers: informers.GetOpenshiftRouteInformers(), } for name, hook := range authenticatorPostStartHooks { diff --git a/pkg/cmd/server/start/start_master.go b/pkg/cmd/server/start/start_master.go index 1319515f3392..e9bcef4dc8ff 100644 --- a/pkg/cmd/server/start/start_master.go +++ b/pkg/cmd/server/start/start_master.go @@ -449,7 +449,7 @@ func (m *Master) Start() error { return err } - if err := informers.GetInternalOpenshiftUserInformers().User().V1().Groups().Informer().AddIndexers(cache.Indexers{ + if err := informers.GetOpenshiftUserInformers().User().V1().Groups().Informer().AddIndexers(cache.Indexers{ usercache.ByUserIndexName: usercache.ByUserIndexKeys, }); err != nil { return err 
diff --git a/pkg/image/apiserver/admission/imagepolicy/imagepolicy.go b/pkg/image/apiserver/admission/imagepolicy/imagepolicy.go index 2f0586f8e12a..72a3e3d01a0c 100644 --- a/pkg/image/apiserver/admission/imagepolicy/imagepolicy.go +++ b/pkg/image/apiserver/admission/imagepolicy/imagepolicy.go @@ -14,6 +14,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/diff" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apiserver/pkg/admission" @@ -26,9 +27,9 @@ import ( "github.com/openshift/origin/pkg/image/apiserver/admission/apis/imagepolicy" "github.com/openshift/origin/pkg/image/apiserver/admission/apis/imagepolicy/validation" "github.com/openshift/origin/pkg/image/apiserver/admission/imagepolicy/rules" - imageclient "github.com/openshift/origin/pkg/image/generated/internalclientset" imageinternalclient "github.com/openshift/origin/pkg/image/generated/internalclientset/typed/image/internalversion" "github.com/openshift/origin/pkg/project/cache" + "k8s.io/client-go/rest" ) func Register(plugins *admission.Plugins) { @@ -69,7 +70,7 @@ type imagePolicyPlugin struct { resolver imageResolver } -var _ = oadmission.WantsOpenshiftInternalImageClient(&imagePolicyPlugin{}) +var _ = oadmission.WantsRESTClientConfig(&imagePolicyPlugin{}) var _ = oadmission.WantsDefaultRegistryFunc(&imagePolicyPlugin{}) type integratedRegistryMatcher struct { 
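Review bot: The new `"k8s.io/client-go/rest"` import in the second import hunk is appended after the `github.com/openshift/origin/...` block, while `utilruntime` in the first hunk went into the k8s.io group. Moving it up next to the other k8s.io imports keeps the grouping consistent with what this commit does in strategyrestrictions/admission.go.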
@@ -116,8 +117,13 @@ func (a *imagePolicyPlugin) SetDefaultRegistryFunc(fn func() (string, bool)) { a.integratedRegistryMatcher.RegistryMatcher = rules.RegistryNameMatcher(fn) } -func (a *imagePolicyPlugin) SetOpenshiftInternalImageClient(c imageclient.Interface) { - a.client = c.Image() +func (a *imagePolicyPlugin) SetRESTClientConfig(restClientConfig rest.Config) { + var err error + a.client, err = imageinternalclient.NewForConfig(&restClientConfig) + if err != nil { + utilruntime.HandleError(err) + return + } } func (a *imagePolicyPlugin) SetProjectCache(c *cache.ProjectCache) { diff --git a/pkg/image/apiserver/admission/imagepolicy/imagepolicy_test.go b/pkg/image/apiserver/admission/imagepolicy/imagepolicy_test.go index 57f4d006285d..7183f37f700f 100644 --- a/pkg/image/apiserver/admission/imagepolicy/imagepolicy_test.go +++ b/pkg/image/apiserver/admission/imagepolicy/imagepolicy_test.go @@ -128,7 +128,7 @@ func TestDefaultPolicy(t *testing.T) { }) store := setDefaultCache(plugin) - plugin.SetOpenshiftInternalImageClient(client) + plugin.client = client.Image() plugin.SetDefaultRegistryFunc(func() (string, bool) { return "integrated.registry", true }) @@ -1304,7 +1304,7 @@ func TestAdmissionResolveImages(t *testing.T) { } setDefaultCache(p) - p.SetOpenshiftInternalImageClient(test.client) + p.client = test.client.Image() p.SetDefaultRegistryFunc(func() (string, bool) { return "integrated.registry", true }) diff --git a/pkg/project/apiserver/admission/requestlimit/admission.go b/pkg/project/apiserver/admission/requestlimit/admission.go index 9a78ddb730bc..8bb5ee03f24e 100644 --- a/pkg/project/apiserver/admission/requestlimit/admission.go +++ b/pkg/project/apiserver/admission/requestlimit/admission.go 
@@ -8,12 +8,13 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/authentication/serviceaccount" + "k8s.io/client-go/rest" kapi "k8s.io/kubernetes/pkg/apis/core" "github.com/openshift/api/project" - userclient "github.com/openshift/client-go/user/clientset/versioned" usertypedclient "github.com/openshift/client-go/user/clientset/versioned/typed/user/v1" "github.com/openshift/origin/pkg/api/legacy" oadmission "github.com/openshift/origin/pkg/cmd/server/admission" @@ -72,7 +73,7 @@ type projectRequestLimit struct { // ensure that the required Openshift admission interfaces are implemented var _ = oadmission.WantsProjectCache(&projectRequestLimit{}) -var _ = oadmission.WantsOpenshiftInternalUserClient(&projectRequestLimit{}) +var _ = oadmission.WantsRESTClientConfig(&projectRequestLimit{}) // Admit ensures that only a configured number of projects can be requested by a particular user. func (o *projectRequestLimit) Admit(a admission.Attributes) (err error) { @@ -171,8 +172,13 @@ func (o *projectRequestLimit) projectCountByRequester(userName string) (int, err return count, nil } -func (o *projectRequestLimit) SetOpenshiftInternalUserClient(client userclient.Interface) { - o.userClient = client.User() +func (o *projectRequestLimit) SetRESTClientConfig(restClientConfig rest.Config) { + var err error + o.userClient, err = usertypedclient.NewForConfig(&restClientConfig) + if err != nil { + utilruntime.HandleError(err) + return + } } func (o *projectRequestLimit) SetProjectCache(cache *projectcache.ProjectCache) { diff --git a/pkg/project/apiserver/admission/requestlimit/admission_test.go b/pkg/project/apiserver/admission/requestlimit/admission_test.go index c2a46f0cf1de..bd2b33dc9972 100644 --- a/pkg/project/apiserver/admission/requestlimit/admission_test.go +++ b/pkg/project/apiserver/admission/requestlimit/admission_test.go 
@@ -154,7 +154,7 @@ func TestMaxProjectByRequester(t *testing.T) { } user := fakeUser("testuser", tc.userLabels) client := fakeuserclient.NewSimpleClientset(user) - reqLimit.(oadmission.WantsOpenshiftInternalUserClient).SetOpenshiftInternalUserClient(client) + reqLimit.(*projectRequestLimit).userClient = client.UserV1() maxProjects, hasLimit, err := reqLimit.(*projectRequestLimit).maxProjectsByRequester("testuser") if err != nil { @@ -278,7 +278,7 @@ func TestAdmit(t *testing.T) { if err != nil { t.Fatalf("Unexpected error: %v", err) } - reqLimit.(oadmission.WantsOpenshiftInternalUserClient).SetOpenshiftInternalUserClient(client) + reqLimit.(*projectRequestLimit).userClient = client.UserV1() reqLimit.(oadmission.WantsProjectCache).SetProjectCache(pCache) if err = reqLimit.(admission.InitializationValidator).ValidateInitialization(); err != nil { t.Fatalf("validation error: %v", err) diff --git a/pkg/quota/apiserver/admission/clusterresourcequota/admission.go b/pkg/quota/apiserver/admission/clusterresourcequota/admission.go index 5a5ed0b1a328..18f587d4c59a 100644 --- a/pkg/quota/apiserver/admission/clusterresourcequota/admission.go +++ b/pkg/quota/apiserver/admission/clusterresourcequota/admission.go @@ -8,12 +8,14 @@ import ( "time" "k8s.io/apimachinery/pkg/runtime/schema" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" utilwait "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle" kapi "k8s.io/kubernetes/pkg/apis/core" kinternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" kcorelisters "k8s.io/kubernetes/pkg/client/listers/core/internalversion" + kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" "k8s.io/kubernetes/pkg/quota" "k8s.io/kubernetes/pkg/quota/install" "k8s.io/kubernetes/plugin/pkg/admission/resourcequota" 
@@ -22,9 +24,9 @@ import ( oadmission "github.com/openshift/origin/pkg/cmd/server/admission" "github.com/openshift/origin/pkg/quota/controller/clusterquotamapping" quotainformer "github.com/openshift/origin/pkg/quota/generated/informers/internalversion/quota/internalversion" - quotaclient "github.com/openshift/origin/pkg/quota/generated/internalclientset" quotatypedclient "github.com/openshift/origin/pkg/quota/generated/internalclientset/typed/quota/internalversion" quotalister "github.com/openshift/origin/pkg/quota/generated/listers/quota/internalversion" + "k8s.io/client-go/rest" ) func Register(plugins *admission.Plugins) { @@ -55,8 +57,8 @@ type clusterQuotaAdmission struct { evaluator resourcequota.Evaluator } -var _ oadmission.WantsInternalKubernetesInformers = &clusterQuotaAdmission{} -var _ oadmission.WantsOpenshiftInternalQuotaClient = &clusterQuotaAdmission{} +var _ kubeapiserveradmission.WantsInternalKubeInformerFactory = &clusterQuotaAdmission{} +var _ oadmission.WantsRESTClientConfig = &clusterQuotaAdmission{} var _ oadmission.WantsClusterQuota = &clusterQuotaAdmission{} const ( 
@@ -136,13 +138,18 @@ func (q *clusterQuotaAdmission) SetOriginQuotaRegistry(registry quota.Registry) q.registry = registry } -func (q *clusterQuotaAdmission) SetInternalKubernetesInformers(informers kinternalinformers.SharedInformerFactory) { +func (q *clusterQuotaAdmission) SetInternalKubeInformerFactory(informers kinternalinformers.SharedInformerFactory) { q.namespaceLister = informers.Core().InternalVersion().Namespaces().Lister() q.namespaceSynced = informers.Core().InternalVersion().Namespaces().Informer().HasSynced } -func (q *clusterQuotaAdmission) SetOpenshiftInternalQuotaClient(client quotaclient.Interface) { - q.clusterQuotaClient = client.Quota() +func (q *clusterQuotaAdmission) SetRESTClientConfig(restClientConfig rest.Config) { + var err error + q.clusterQuotaClient, err = quotatypedclient.NewForConfig(&restClientConfig) + if err != nil { + utilruntime.HandleError(err) + return + } } func (q *clusterQuotaAdmission) SetClusterQuota(clusterQuotaMapper clusterquotamapping.ClusterQuotaMapper, informers quotainformer.ClusterResourceQuotaInformer) { diff --git a/pkg/route/apiserver/registry/route/etcd/etcd_test.go b/pkg/route/apiserver/registry/route/etcd/etcd_test.go index 86b698095a1c..9fa7868da1d9 100644 --- a/pkg/route/apiserver/registry/route/etcd/etcd_test.go +++ b/pkg/route/apiserver/registry/route/etcd/etcd_test.go @@ -3,6 +3,7 @@ package etcd import ( "testing" + authorizationapi "k8s.io/api/authorization/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/labels" @@ -13,7 +14,6 @@ import ( "k8s.io/apiserver/pkg/registry/rest" etcdtesting "k8s.io/apiserver/pkg/storage/etcd/testing" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" routetypes "github.com/openshift/origin/pkg/route" routeapi "github.com/openshift/origin/pkg/route/apis/route" From e4c049c31d86f7b142edc494e202fbdc91879133 Mon Sep 17 00:00:00 2001 
From: David Eads Date: Tue, 31 Jul 2018 16:19:21 -0400 Subject: [PATCH 2/3] UPSTREAM: 66837: fix panic fake SAR client expansion --- .../v1/fake/fake_subjectaccessreview_expansion.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_subjectaccessreview_expansion.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_subjectaccessreview_expansion.go index 7ddc58ff4ae5..a2a2f0697ec3 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_subjectaccessreview_expansion.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_subjectaccessreview_expansion.go @@ -23,5 +23,8 @@ import ( func (c *FakeSubjectAccessReviews) Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error) { obj, err := c.Fake.Invokes(core.NewRootCreateAction(authorizationapi.SchemeGroupVersion.WithResource("subjectaccessreviews"), sar), &authorizationapi.SubjectAccessReview{}) + if obj == nil { + return nil, err + } return obj.(*authorizationapi.SubjectAccessReview), err } From c3f94779c3a0a64daca27851ac5b3d88dee3f757 Mon Sep 17 00:00:00 2001 
From: David Eads Date: Tue, 31 Jul 2018 15:58:41 -0400 Subject: [PATCH 3/3] switch to external SARs --- pkg/authorization/util/util.go | 16 +++++------ .../strategyrestrictions/admission.go | 28 +++++++++---------- .../strategyrestrictions/admission_test.go | 22 +++++++-------- .../controller/template.go | 1 + pkg/image/apiserver/apiserver.go | 2 +- .../registry/imagestream/etcd/etcd.go | 2 +- .../registry/imagestream/etcd/etcd_test.go | 2 +- .../registry/imagestream/strategy.go | 4 +-- .../registry/imagestream/strategy_test.go | 2 +- .../registry/imagestreamimage/rest_test.go | 2 +- .../registry/imagestreamimport/rest.go | 4 +-- .../registry/imagestreammapping/rest_test.go | 2 +- .../registry/imagestreamtag/rest_test.go | 2 +- pkg/project/apiserver/apiserver.go | 2 +- .../projectrequest/delegated/delegated.go | 4 +-- pkg/route/apiserver/apiserver.go | 2 +- .../apiserver/registry/route/strategy.go | 4 +-- .../apiserver/registry/route/strategy_test.go | 2 +- pkg/template/apiserver/apiserver.go | 2 +- .../registry/templateinstance/etcd/etcd.go | 4 +-- .../registry/templateinstance/strategy.go | 10 +++---- .../controller/templateinstance_controller.go | 17 ++++++----- .../templateinstance_controller_test.go | 9 ++++-- 23 files changed, 75 insertions(+), 70 deletions(-) diff --git a/pkg/authorization/util/util.go b/pkg/authorization/util/util.go index 0b15803e9120..03c2a68af425 100644 --- a/pkg/authorization/util/util.go +++ b/pkg/authorization/util/util.go 
@@ -3,24 +3,24 @@ package util import ( "errors" + authorizationv1 "k8s.io/api/authorization/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apiserver/pkg/authentication/user" - "k8s.io/kubernetes/pkg/apis/authorization" - "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" ) // AddUserToSAR adds the requisite user information to a SubjectAccessReview. // It returns the modified SubjectAccessReview. -func AddUserToSAR(user user.Info, sar *authorization.SubjectAccessReview) *authorization.SubjectAccessReview { +func AddUserToSAR(user user.Info, sar *authorizationv1.SubjectAccessReview) *authorizationv1.SubjectAccessReview { sar.Spec.User = user.GetName() // reminiscent of the bad old days of C. Copies copy the min number of elements of both source and dest sar.Spec.Groups = make([]string, len(user.GetGroups())) copy(sar.Spec.Groups, user.GetGroups()) - sar.Spec.Extra = map[string]authorization.ExtraValue{} + sar.Spec.Extra = map[string]authorizationv1.ExtraValue{} for k, v := range user.GetExtra() { - sar.Spec.Extra[k] = authorization.ExtraValue(v) + sar.Spec.Extra[k] = authorizationv1.ExtraValue(v) } return sar 
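Review bot: `AddUserToSAR` copies the user's name, groups and extra values into the review but never sets the UID, so the `authorizationv1.SubjectAccessReview` built here describes the subject less completely than the `user.Info` it came from. An authorizer or audit consumer that distinguishes subjects by UID would see an empty value for every delegated check, though whether any authorizer in this deployment does so is not visible here. Adding `sar.Spec.UID = user.GetUID()` next to the `sar.Spec.User` assignment closes the gap. The function's closing brace is outside the hunk.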
@@ -29,9 +29,9 @@ func AddUserToSAR(user user.Info, sar *authorization.SubjectAccessReview) *autho // Authorize verifies that a given user is permitted to carry out a given // action. If this cannot be determined, or if the user is not permitted, an // error is returned. -func Authorize(sarClient internalversion.SubjectAccessReviewInterface, user user.Info, resourceAttributes *authorization.ResourceAttributes) error { - sar := AddUserToSAR(user, &authorization.SubjectAccessReview{ - Spec: authorization.SubjectAccessReviewSpec{ +func Authorize(sarClient authorizationclient.SubjectAccessReviewInterface, user user.Info, resourceAttributes *authorizationv1.ResourceAttributes) error { + sar := AddUserToSAR(user, &authorizationv1.SubjectAccessReview{ + Spec: authorizationv1.SubjectAccessReviewSpec{ ResourceAttributes: resourceAttributes, }, }) diff --git a/pkg/build/apiserver/admission/strategyrestrictions/admission.go b/pkg/build/apiserver/admission/strategyrestrictions/admission.go index a4071356cbf6..60e5e708d73b 100644 --- a/pkg/build/apiserver/admission/strategyrestrictions/admission.go +++ b/pkg/build/apiserver/admission/strategyrestrictions/admission.go 
@@ -5,16 +5,15 @@ import ( "io" "strings" + authorizationv1 "k8s.io/api/authorization/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apiserver/pkg/admission" + "k8s.io/client-go/kubernetes" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/client-go/rest" - "k8s.io/kubernetes/pkg/apis/authorization" kapihelper "k8s.io/kubernetes/pkg/apis/core/helper" - "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" - kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" rbacregistry "k8s.io/kubernetes/pkg/registry/rbac" "github.com/openshift/api/build" @@ -25,6 +24,7 @@ import ( "github.com/openshift/origin/pkg/build/buildscheme" oadmission "github.com/openshift/origin/pkg/cmd/server/admission" "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" + "k8s.io/apiserver/pkg/admission/initializer" ) func Register(plugins *admission.Plugins) { @@ -40,7 +40,7 @@ type buildByStrategy struct { buildClient buildclient.Interface } -var _ = kubeadmission.WantsInternalKubeClientSet(&buildByStrategy{}) +var _ = initializer.WantsExternalKubeClientSet(&buildByStrategy{}) var _ = oadmission.WantsRESTClientConfig(&buildByStrategy{}) // NewBuildByStrategy returns an admission control for builds that checks @@ -86,8 +86,8 @@ func (a *buildByStrategy) Admit(attr admission.Attributes) error { } } -func (a *buildByStrategy) SetInternalKubeClientSet(c internalclientset.Interface) { - a.sarClient = c.Authorization().SubjectAccessReviews() +func (a *buildByStrategy) SetExternalKubeClientSet(c kubernetes.Interface) { + a.sarClient = c.AuthorizationV1().SubjectAccessReviews() } func (a *buildByStrategy) SetRESTClientConfig(restClientConfig rest.Config) { 
@@ -146,9 +146,9 @@ func (a *buildByStrategy) checkBuildAuthorization(build *buildapi.Build, attr ad subresource = tokens[1] } - sar := util.AddUserToSAR(attr.GetUserInfo(), &authorization.SubjectAccessReview{ - Spec: authorization.SubjectAccessReviewSpec{ - ResourceAttributes: &authorization.ResourceAttributes{ + sar := util.AddUserToSAR(attr.GetUserInfo(), &authorizationv1.SubjectAccessReview{ + Spec: authorizationv1.SubjectAccessReviewSpec{ + ResourceAttributes: &authorizationv1.ResourceAttributes{ Namespace: attr.GetNamespace(), Verb: "create", Group: resource.Group, @@ -174,9 +174,9 @@ func (a *buildByStrategy) checkBuildConfigAuthorization(buildConfig *buildapi.Bu subresource = tokens[1] } - sar := util.AddUserToSAR(attr.GetUserInfo(), &authorization.SubjectAccessReview{ - Spec: authorization.SubjectAccessReviewSpec{ - ResourceAttributes: &authorization.ResourceAttributes{ + sar := util.AddUserToSAR(attr.GetUserInfo(), &authorizationv1.SubjectAccessReview{ + Spec: authorizationv1.SubjectAccessReviewSpec{ + ResourceAttributes: &authorizationv1.ResourceAttributes{ Namespace: attr.GetNamespace(), Verb: "create", Group: resource.Group, @@ -220,7 +220,7 @@ func (a *buildByStrategy) checkBuildRequestAuthorization(req *buildapi.BuildRequ } } -func (a *buildByStrategy) checkAccess(strategy buildapi.BuildStrategy, subjectAccessReview *authorization.SubjectAccessReview, attr admission.Attributes) error { +func (a *buildByStrategy) checkAccess(strategy buildapi.BuildStrategy, subjectAccessReview *authorizationv1.SubjectAccessReview, attr admission.Attributes) error { resp, err := a.sarClient.Create(subjectAccessReview) if err != nil { return admission.NewForbidden(attr, err) diff --git a/pkg/build/apiserver/admission/strategyrestrictions/admission_test.go b/pkg/build/apiserver/admission/strategyrestrictions/admission_test.go index 079700d4ee77..8927b6bd6eb4 100644 --- a/pkg/build/apiserver/admission/strategyrestrictions/admission_test.go 
+++ b/pkg/build/apiserver/admission/strategyrestrictions/admission_test.go @@ -4,21 +4,19 @@ import ( "fmt" "testing" + authorizationv1 "k8s.io/api/authorization/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/authentication/user" + fakekubeclient "k8s.io/client-go/kubernetes/fake" clientgotesting "k8s.io/client-go/testing" - "k8s.io/kubernetes/pkg/apis/authorization" - fakekubeclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake" - kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" buildapiv1 "github.com/openshift/api/build/v1" fakebuildclient "github.com/openshift/client-go/build/clientset/versioned/fake" buildapi "github.com/openshift/origin/pkg/build/apis/build" - oadmission "github.com/openshift/origin/pkg/cmd/server/admission" "github.com/openshift/api/build" _ "github.com/openshift/origin/pkg/build/apis/build/install" @@ -33,7 +31,7 @@ func TestBuildAdmission(t *testing.T) { object runtime.Object oldObject runtime.Object responseObject runtime.Object - reviewResponse *authorization.SubjectAccessReview + reviewResponse *authorizationv1.SubjectAccessReview expectedResource string expectedSubresource string expectAccept bool @@ -179,7 +177,7 @@ func TestBuildAdmission(t *testing.T) { }, } - emptyResponse := &authorization.SubjectAccessReview{} + emptyResponse := &authorizationv1.SubjectAccessReview{} ops := []admission.Operation{admission.Create, admission.Update} for _, test := range tests { t.Run(test.name, func(t *testing.T) { 
@@ -191,7 +189,7 @@ func TestBuildAdmission(t *testing.T) { fakeKubeClient := fakekubeclient.NewSimpleClientset() fakeKubeClient.PrependReactor("create", "subjectaccessreviews", func(action clientgotesting.Action) (handled bool, ret runtime.Object, err error) { - review, ok := action.(clientgotesting.CreateAction).GetObject().(*authorization.SubjectAccessReview) + review, ok := action.(clientgotesting.CreateAction).GetObject().(*authorizationv1.SubjectAccessReview) if !ok { return true, emptyResponse, fmt.Errorf("unexpected object received: %#v", review) } @@ -211,8 +209,8 @@ func TestBuildAdmission(t *testing.T) { }) c := NewBuildByStrategy() - c.(kubeadmission.WantsInternalKubeClientSet).SetInternalKubeClientSet(fakeKubeClient) - c.(oadmission.WantsOpenshiftInternalBuildClient).SetOpenshiftInternalBuildClient(fakeBuildClient) + c.(*buildByStrategy).sarClient = fakeKubeClient.AuthorizationV1().SubjectAccessReviews() + c.(*buildByStrategy).buildClient = fakeBuildClient attrs := admission.NewAttributesRecord(test.object, test.oldObject, test.kind.WithVersion("version"), "foo", "test-build", test.resource.WithVersion("version"), test.subResource, op, fakeUser()) err := c.(admission.MutationInterface).Admit(attrs) if err != nil && test.expectAccept { @@ -298,9 +296,9 @@ func v1TestBuildConfig(strategy buildapiv1.BuildStrategy) *buildapiv1.BuildConfi } } -func reviewResponse(allowed bool, msg string) *authorization.SubjectAccessReview { - return &authorization.SubjectAccessReview{ - Status: authorization.SubjectAccessReviewStatus{ +func reviewResponse(allowed bool, msg string) *authorizationv1.SubjectAccessReview { + return &authorizationv1.SubjectAccessReview{ + Status: authorizationv1.SubjectAccessReviewStatus{ Allowed: allowed, Reason: msg, }, diff --git a/pkg/cmd/openshift-controller-manager/controller/template.go b/pkg/cmd/openshift-controller-manager/controller/template.go index e827eea8f74e..7e66cc9e2672 100644 
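Review bot: Assigning `c.(*buildByStrategy).sarClient` directly in `TestBuildAdmission` (hunk at -211,8) leaves the new `SetExternalKubeClientSet` setter without test coverage, and this plugin is what enforces the per-strategy SubjectAccessReview. The fake clientset created above with `fakekubeclient.NewSimpleClientset()` should satisfy `kubernetes.Interface`, so the wiring can stay under test with `c.(initializer.WantsExternalKubeClientSet).SetExternalKubeClientSet(fakeKubeClient)`, plus an import of `k8s.io/apiserver/pkg/admission/initializer`. Direct assignment of `buildClient` is reasonable, since `SetRESTClientConfig` cannot accept a fake.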
--- a/pkg/cmd/openshift-controller-manager/controller/template.go +++ b/pkg/cmd/openshift-controller-manager/controller/template.go @@ -21,6 +21,7 @@ func RunTemplateInstanceController(ctx ControllerContext) (bool, error) { go templatecontroller.NewTemplateInstanceController( ctx.RestMapper, dynamicClient, + ctx.ClientBuilder.ClientGoClientOrDie(saName).AuthorizationV1(), ctx.ClientBuilder.KubeInternalClientOrDie(saName), ctx.ClientBuilder.OpenshiftInternalBuildClientOrDie(saName), ctx.ClientBuilder.OpenshiftInternalTemplateClientOrDie(saName), diff --git a/pkg/image/apiserver/apiserver.go b/pkg/image/apiserver/apiserver.go index 7e2121e3e2a1..88a2c641c727 100644 --- a/pkg/image/apiserver/apiserver.go +++ b/pkg/image/apiserver/apiserver.go @@ -14,9 +14,9 @@ import ( knet "k8s.io/apimachinery/pkg/util/net" "k8s.io/apiserver/pkg/registry/rest" genericapiserver "k8s.io/apiserver/pkg/server" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" restclient "k8s.io/client-go/rest" "k8s.io/client-go/util/flowcontrol" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" coreclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion" imageapiv1 "github.com/openshift/api/image/v1" diff --git a/pkg/image/apiserver/registry/imagestream/etcd/etcd.go b/pkg/image/apiserver/registry/imagestream/etcd/etcd.go index a7e173b54995..450b6195e5fc 100644 --- a/pkg/image/apiserver/registry/imagestream/etcd/etcd.go +++ b/pkg/image/apiserver/registry/imagestream/etcd/etcd.go 
@@ -10,7 +10,7 @@ import ( "k8s.io/apiserver/pkg/registry/generic/registry" "k8s.io/apiserver/pkg/registry/rest" "k8s.io/apiserver/pkg/storage" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/kubernetes/pkg/printers" printerstorage "k8s.io/kubernetes/pkg/printers/storage" diff --git a/pkg/image/apiserver/registry/imagestream/etcd/etcd_test.go b/pkg/image/apiserver/registry/imagestream/etcd/etcd_test.go index 2ea2fb502472..2f20da37a1f2 100644 --- a/pkg/image/apiserver/registry/imagestream/etcd/etcd_test.go +++ b/pkg/image/apiserver/registry/imagestream/etcd/etcd_test.go @@ -7,6 +7,7 @@ import ( "github.com/openshift/origin/pkg/image/apis/image/validation/fake" admfake "github.com/openshift/origin/pkg/image/apiserver/admission/fake" "github.com/openshift/origin/pkg/util/restoptions" + authorizationapi "k8s.io/api/authorization/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -16,7 +17,6 @@ import ( "k8s.io/apiserver/pkg/registry/rest" etcdtesting "k8s.io/apiserver/pkg/storage/etcd/testing" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kapihelper "k8s.io/kubernetes/pkg/apis/core/helper" // install all APIs diff --git a/pkg/image/apiserver/registry/imagestream/strategy.go b/pkg/image/apiserver/registry/imagestream/strategy.go index a248330da1e7..04a132fa296b 100644 --- a/pkg/image/apiserver/registry/imagestream/strategy.go +++ b/pkg/image/apiserver/registry/imagestream/strategy.go @@ -6,6 +6,7 @@ import ( "strings" "github.com/golang/glog" + authorizationapi "k8s.io/api/authorization/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" 
@@ -14,11 +15,10 @@ import ( "k8s.io/apiserver/pkg/authentication/user" apirequest "k8s.io/apiserver/pkg/endpoints/request" "k8s.io/apiserver/pkg/storage/names" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kapi "k8s.io/kubernetes/pkg/apis/core" kapihelper "k8s.io/kubernetes/pkg/apis/core/helper" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" authorizationutil "github.com/openshift/origin/pkg/authorization/util" imageapi "github.com/openshift/origin/pkg/image/apis/image" diff --git a/pkg/image/apiserver/registry/imagestream/strategy_test.go b/pkg/image/apiserver/registry/imagestream/strategy_test.go index 27dff1316927..ae0c5823fd25 100644 --- a/pkg/image/apiserver/registry/imagestream/strategy_test.go +++ b/pkg/image/apiserver/registry/imagestream/strategy_test.go @@ -9,6 +9,7 @@ import ( "strings" "testing" + authorizationapi "k8s.io/api/authorization/v1" kapierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -17,7 +18,6 @@ import ( "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apiserver/pkg/authentication/user" apirequest "k8s.io/apiserver/pkg/endpoints/request" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kapi "k8s.io/kubernetes/pkg/apis/core" kquota "k8s.io/kubernetes/pkg/quota" diff --git a/pkg/image/apiserver/registry/imagestreamimage/rest_test.go b/pkg/image/apiserver/registry/imagestreamimage/rest_test.go index 74b3973c370e..75d307fe2242 100644 --- a/pkg/image/apiserver/registry/imagestreamimage/rest_test.go +++ b/pkg/image/apiserver/registry/imagestreamimage/rest_test.go 
@@ -6,6 +6,7 @@ import ( etcd "github.com/coreos/etcd/clientv3" "golang.org/x/net/context" + authorizationapi "k8s.io/api/authorization/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" @@ -13,7 +14,6 @@ import ( "k8s.io/apiserver/pkg/storage/etcd/etcdtest" etcdtesting "k8s.io/apiserver/pkg/storage/etcd/testing" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" imagev1 "github.com/openshift/api/image/v1" imageapi "github.com/openshift/origin/pkg/image/apis/image" diff --git a/pkg/image/apiserver/registry/imagestreamimport/rest.go b/pkg/image/apiserver/registry/imagestreamimport/rest.go index 0276114f53f2..eee6d573e007 100644 --- a/pkg/image/apiserver/registry/imagestreamimport/rest.go +++ b/pkg/image/apiserver/registry/imagestreamimport/rest.go @@ -10,6 +10,7 @@ import ( "github.com/golang/glog" gocontext "golang.org/x/net/context" + authorizationapi "k8s.io/api/authorization/v1" corev1 "k8s.io/api/core/v1" kapierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -18,11 +19,10 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" apirequest "k8s.io/apiserver/pkg/endpoints/request" "k8s.io/apiserver/pkg/registry/rest" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kapi "k8s.io/kubernetes/pkg/apis/core" kapihelper "k8s.io/kubernetes/pkg/apis/core/helper" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" "github.com/openshift/api/image" imageapiv1 "github.com/openshift/api/image/v1" diff --git a/pkg/image/apiserver/registry/imagestreammapping/rest_test.go b/pkg/image/apiserver/registry/imagestreammapping/rest_test.go index 9d03bb82cb9a..86c4e6eb9381 100644 
--- a/pkg/image/apiserver/registry/imagestreammapping/rest_test.go +++ b/pkg/image/apiserver/registry/imagestreammapping/rest_test.go @@ -11,6 +11,7 @@ import ( etcd "github.com/coreos/etcd/clientv3" "k8s.io/apiserver/pkg/registry/rest" + authorizationapi "k8s.io/api/authorization/v1" "k8s.io/apimachinery/pkg/api/errors" metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -22,7 +23,6 @@ import ( "k8s.io/apiserver/pkg/storage/etcd/etcdtest" etcdtesting "k8s.io/apiserver/pkg/storage/etcd/testing" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kapi "k8s.io/kubernetes/pkg/apis/core" imagegroup "github.com/openshift/api/image" diff --git a/pkg/image/apiserver/registry/imagestreamtag/rest_test.go b/pkg/image/apiserver/registry/imagestreamtag/rest_test.go index 03f27d164edf..650ecd2104e3 100644 --- a/pkg/image/apiserver/registry/imagestreamtag/rest_test.go +++ b/pkg/image/apiserver/registry/imagestreamtag/rest_test.go @@ -9,6 +9,7 @@ import ( "golang.org/x/net/context" "k8s.io/apiserver/pkg/registry/rest" + authorizationapi "k8s.io/api/authorization/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" @@ -18,7 +19,6 @@ import ( "k8s.io/apiserver/pkg/storage/etcd/etcdtest" etcdtesting "k8s.io/apiserver/pkg/storage/etcd/testing" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kapi "k8s.io/kubernetes/pkg/apis/core" imagev1 "github.com/openshift/api/image/v1" diff --git a/pkg/project/apiserver/apiserver.go b/pkg/project/apiserver/apiserver.go index 6d1b3b5338c8..ba2f29e0767d 100644 --- a/pkg/project/apiserver/apiserver.go +++ b/pkg/project/apiserver/apiserver.go 
@@ -12,9 +12,9 @@ import ( "k8s.io/apimachinery/pkg/runtime/serializer" "k8s.io/apiserver/pkg/registry/rest" genericapiserver "k8s.io/apiserver/pkg/server" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" restclient "k8s.io/client-go/rest" kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" kinternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" projectapiv1 "github.com/openshift/api/project/v1" diff --git a/pkg/project/apiserver/registry/projectrequest/delegated/delegated.go b/pkg/project/apiserver/registry/projectrequest/delegated/delegated.go index e028d91e193b..d7228bc546b1 100644 --- a/pkg/project/apiserver/registry/projectrequest/delegated/delegated.go +++ b/pkg/project/apiserver/registry/projectrequest/delegated/delegated.go @@ -8,6 +8,7 @@ import ( "time" "github.com/golang/glog" + authorizationapi "k8s.io/api/authorization/v1" kapierror "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/meta" metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion" @@ -21,11 +22,10 @@ import ( apirequest "k8s.io/apiserver/pkg/endpoints/request" "k8s.io/apiserver/pkg/registry/rest" "k8s.io/client-go/dynamic" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/client-go/util/retry" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" "k8s.io/kubernetes/pkg/apis/rbac" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion" "github.com/openshift/api/project" diff --git a/pkg/route/apiserver/apiserver.go b/pkg/route/apiserver/apiserver.go index 142080673940..3b3dfff186c2 100644 
--- a/pkg/route/apiserver/apiserver.go +++ b/pkg/route/apiserver/apiserver.go @@ -9,12 +9,12 @@ import ( "k8s.io/apimachinery/pkg/runtime/serializer" "k8s.io/apiserver/pkg/registry/rest" genericapiserver "k8s.io/apiserver/pkg/server" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" restclient "k8s.io/client-go/rest" routeapiv1 "github.com/openshift/api/route/v1" routeetcd "github.com/openshift/origin/pkg/route/apiserver/registry/route/etcd" routeallocationcontroller "github.com/openshift/origin/pkg/route/controller/allocation" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" ) type ExtraConfig struct { diff --git a/pkg/route/apiserver/registry/route/strategy.go b/pkg/route/apiserver/registry/route/strategy.go index e463c830f290..781ecbb8e3d2 100644 --- a/pkg/route/apiserver/registry/route/strategy.go +++ b/pkg/route/apiserver/registry/route/strategy.go @@ -4,14 +4,14 @@ import ( "context" "fmt" + authorizationapi "k8s.io/api/authorization/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/validation/field" apirequest "k8s.io/apiserver/pkg/endpoints/request" "k8s.io/apiserver/pkg/storage/names" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kvalidation "k8s.io/kubernetes/pkg/apis/core/validation" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" authorizationutil "github.com/openshift/origin/pkg/authorization/util" "github.com/openshift/origin/pkg/route" diff --git a/pkg/route/apiserver/registry/route/strategy_test.go b/pkg/route/apiserver/registry/route/strategy_test.go index d4764a926cce..866b702a82ad 100644 --- a/pkg/route/apiserver/registry/route/strategy_test.go +++ b/pkg/route/apiserver/registry/route/strategy_test.go 
@@ -4,12 +4,12 @@ import (
 "reflect"
 "testing"
+ authorizationapi "k8s.io/api/authorization/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/apiserver/pkg/authentication/user"
 apirequest "k8s.io/apiserver/pkg/endpoints/request"
- authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
 routeapi "github.com/openshift/origin/pkg/route/apis/route"
 )
diff --git a/pkg/template/apiserver/apiserver.go b/pkg/template/apiserver/apiserver.go
index 4a05427c74aa..736017448154 100644
--- a/pkg/template/apiserver/apiserver.go
+++ b/pkg/template/apiserver/apiserver.go
@@ -8,8 +8,8 @@ import (
 "k8s.io/apimachinery/pkg/runtime/serializer"
 "k8s.io/apiserver/pkg/registry/rest"
 genericapiserver "k8s.io/apiserver/pkg/server"
+ authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1"
 restclient "k8s.io/client-go/rest"
- authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion"
 templateapiv1 "github.com/openshift/api/template/v1"
 brokertemplateinstanceetcd "github.com/openshift/origin/pkg/template/apiserver/registry/brokertemplateinstance/etcd"
diff --git a/pkg/template/apiserver/registry/templateinstance/etcd/etcd.go b/pkg/template/apiserver/registry/templateinstance/etcd/etcd.go
index e9afa24dbd04..9930727dd585 100644
--- a/pkg/template/apiserver/registry/templateinstance/etcd/etcd.go
+++ b/pkg/template/apiserver/registry/templateinstance/etcd/etcd.go
@@ -8,7 +8,7 @@ import (
 "k8s.io/apiserver/pkg/registry/generic"
 "k8s.io/apiserver/pkg/registry/generic/registry"
 "k8s.io/apiserver/pkg/registry/rest"
- authorizationinternalversion "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion"
+ authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1"
 "k8s.io/kubernetes/pkg/printers"
 printerstorage "k8s.io/kubernetes/pkg/printers/storage"
@@ -27,7 +27,7 @@ type REST struct {
 var _ rest.StandardStorage = &REST{}
 // NewREST returns a RESTStorage object that will work against templateinstances.
-func NewREST(optsGetter restoptions.Getter, authorizationClient authorizationinternalversion.AuthorizationInterface) (*REST, *StatusREST, error) {
+func NewREST(optsGetter restoptions.Getter, authorizationClient authorizationclient.AuthorizationV1Interface) (*REST, *StatusREST, error) {
 strategy := templateinstance.NewStrategy(authorizationClient)
 store := ®istry.Store{
diff --git a/pkg/template/apiserver/registry/templateinstance/strategy.go b/pkg/template/apiserver/registry/templateinstance/strategy.go
index afa998ada0ff..cea497f8af0a 100644
--- a/pkg/template/apiserver/registry/templateinstance/strategy.go
+++ b/pkg/template/apiserver/registry/templateinstance/strategy.go
@@ -4,6 +4,7 @@ import (
 "context"
 "errors"
+ authorizationv1 "k8s.io/api/authorization/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/apimachinery/pkg/runtime"
 kutilerrors "k8s.io/apimachinery/pkg/util/errors"
@@ -11,10 +12,9 @@ import (
 "k8s.io/apiserver/pkg/authentication/user"
 apirequest "k8s.io/apiserver/pkg/endpoints/request"
 "k8s.io/apiserver/pkg/storage/names"
+ authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1"
 "k8s.io/kubernetes/pkg/api/legacyscheme"
- "k8s.io/kubernetes/pkg/apis/authorization"
 kapihelper "k8s.io/kubernetes/pkg/apis/core/helper"
- authorizationinternalversion "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion"
 rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
 "github.com/openshift/origin/pkg/authorization/util"
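Review bot: `NewREST` in templateinstance/etcd/etcd.go now takes the whole `authorizationclient.AuthorizationV1Interface`, which is wider than the code shown needs; the same holds for `NewStrategy` and the `authorizationClient` field in templateinstance/strategy.go. The only call visible in this patch is `s.authorizationClient.SubjectAccessReviews()` in `validateImpersonation`, so, assuming no other method is used elsewhere in that file, the parameter and the field could be declared as `authorizationclient.SubjectAccessReviewsGetter`, the type this same patch already uses for the controller's `sarClient`. Existing callers keep compiling because the full client satisfies the narrower interface, and the strategy can then no longer reach the other review endpoints or the raw REST client. The body of `NewREST` continues outside the hunk.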
@@ -26,10 +26,10 @@ import (
 type templateInstanceStrategy struct {
 runtime.ObjectTyper
 names.NameGenerator
- authorizationClient authorizationinternalversion.AuthorizationInterface
+ authorizationClient authorizationclient.AuthorizationV1Interface
 }
-func NewStrategy(authorizationClient authorizationinternalversion.AuthorizationInterface) *templateInstanceStrategy {
+func NewStrategy(authorizationClient authorizationclient.AuthorizationV1Interface) *templateInstanceStrategy {
 return &templateInstanceStrategy{legacyscheme.Scheme, names.SimpleNameGenerator, authorizationClient}
 }
@@ -146,7 +146,7 @@ func (s *templateInstanceStrategy) validateImpersonation(templateInstance *templ
 }
 if templateInstance.Spec.Requester.Username != userinfo.GetName() {
- if err := util.Authorize(s.authorizationClient.SubjectAccessReviews(), userinfo, &authorization.ResourceAttributes{
+ if err := util.Authorize(s.authorizationClient.SubjectAccessReviews(), userinfo, &authorizationv1.ResourceAttributes{
 Namespace: templateInstance.Namespace,
 Verb: "assign",
 Group: templateapi.GroupName,
diff --git a/pkg/template/controller/templateinstance_controller.go b/pkg/template/controller/templateinstance_controller.go
index 02a545be65eb..8d47728c2293 100644
--- a/pkg/template/controller/templateinstance_controller.go
+++ b/pkg/template/controller/templateinstance_controller.go
@@ -6,6 +6,7 @@ import (
 "strings"
 "time"
+ authorizationv1 "k8s.io/api/authorization/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 kerrors "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/api/meta"
@@ -16,9 +17,9 @@ import (
 "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/client-go/dynamic"
+ authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1"
 "k8s.io/client-go/tools/cache"
 "k8s.io/client-go/util/workqueue"
- "k8s.io/kubernetes/pkg/apis/authorization"
 kapi "k8s.io/kubernetes/pkg/apis/core"
 kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 "k8s.io/utils/clock"
@@ -55,7 +56,8 @@ type TemplateInstanceController struct {
 // status of the last build.
 buildClient buildclient.Interface
- kc kclientsetinternal.Interface
+ sarClient authorizationclient.SubjectAccessReviewsGetter
+ kc kclientsetinternal.Interface
 lister templatelister.TemplateInstanceLister
 informer cache.SharedIndexInformer
@@ -68,10 +70,11 @@ type TemplateInstanceController struct {
 }
 // NewTemplateInstanceController returns a new TemplateInstanceController.
-func NewTemplateInstanceController(dynamicRestMapper meta.RESTMapper, dynamicClient dynamic.Interface, kc kclientsetinternal.Interface, buildClient buildclient.Interface, templateClient templateclient.Interface, informer internalversion.TemplateInstanceInformer) *TemplateInstanceController {
+func NewTemplateInstanceController(dynamicRestMapper meta.RESTMapper, dynamicClient dynamic.Interface, sarClient authorizationclient.SubjectAccessReviewsGetter, kc kclientsetinternal.Interface, buildClient buildclient.Interface, templateClient templateclient.Interface, informer internalversion.TemplateInstanceInformer) *TemplateInstanceController {
 c := &TemplateInstanceController{
 dynamicRestMapper: dynamicRestMapper,
 dynamicClient: dynamicClient,
+ sarClient: sarClient,
 kc: kc,
 templateClient: templateClient,
 buildClient: buildClient,
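Review bot: The new `sarClient` field of `TemplateInstanceController` has no comment, although the neighbouring `buildClient` has one, and nothing tells a reader that this is the client the SubjectAccessReview checks in `checkReadiness` and `instantiate` now go through. I would add `// sarClient creates the SubjectAccessReviews used to check the requesting user's permissions; it must be non-nil.` above the field. The non-nil part matters because code that builds the struct literal directly, as the test in this patch does, gets a nil interface and a panic at the first `c.sarClient.SubjectAccessReviews()` if it leaves the field out. The struct definition starts and ends outside the hunk.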
@@ -215,7 +218,7 @@ func (c *TemplateInstanceController) checkReadiness(templateInstance *templateap
 return false, err
 }
- if err = util.Authorize(c.kc.Authorization().SubjectAccessReviews(), u, &authorization.ResourceAttributes{
+ if err = util.Authorize(c.sarClient.SubjectAccessReviews(), u, &authorizationv1.ResourceAttributes{
 Namespace: object.Ref.Namespace,
 Verb: "get",
 Group: mapping.Resource.Group,
@@ -345,7 +348,7 @@ func (c *TemplateInstanceController) instantiate(templateInstance *templateapi.T
 var secret *kapi.Secret
 if templateInstance.Spec.Secret != nil {
- if err := util.Authorize(c.kc.Authorization().SubjectAccessReviews(), u, &authorization.ResourceAttributes{
+ if err := util.Authorize(c.sarClient.SubjectAccessReviews(), u, &authorizationv1.ResourceAttributes{
 Namespace: templateInstance.Namespace,
 Verb: "get",
 Group: kapi.GroupName,
@@ -374,7 +377,7 @@ func (c *TemplateInstanceController) instantiate(templateInstance *templateapi.T
 }
 }
- if err := util.Authorize(c.kc.Authorization().SubjectAccessReviews(), u, &authorization.ResourceAttributes{
+ if err := util.Authorize(c.sarClient.SubjectAccessReviews(), u, &authorizationv1.ResourceAttributes{
 Namespace: templateInstance.Namespace,
 Verb: "create",
 Group: templateapi.GroupName,
@@ -424,7 +427,7 @@ func (c *TemplateInstanceController) instantiate(templateInstance *templateapi.T
 continue
 }
- if err := util.Authorize(c.kc.Authorization().SubjectAccessReviews(), u, &authorization.ResourceAttributes{
+ if err := util.Authorize(c.sarClient.SubjectAccessReviews(), u, &authorizationv1.ResourceAttributes{
 Namespace: namespace,
 Verb: "create",
 Group: restMapping.Resource.Group,
diff --git a/pkg/template/controller/templateinstance_controller_test.go b/pkg/template/controller/templateinstance_controller_test.go
index 15ba26ee9422..fb3c8a060203 100644
--- a/pkg/template/controller/templateinstance_controller_test.go
+++ b/pkg/template/controller/templateinstance_controller_test.go
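Review bot: The four `util.Authorize(c.sarClient.SubjectAccessReviews(), u, ...)` calls in `checkReadiness` and `instantiate` spell out the client at every site, so a later client change has four places in which to miss one. A small private method on the controller, say `authorize(u, attrs)` that simply returns `util.Authorize(c.sarClient.SubjectAccessReviews(), u, attrs)`, would keep that choice in a single line and make the permission checks easy to find when auditing. Both functions start and end outside these hunks, so how the returned error is handled cannot be judged from here.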
@@ -8,15 +8,16 @@ import (
 "testing"
 "time"
+ authorizationv1 "k8s.io/api/authorization/v1"
 batchv1 "k8s.io/api/batch/v1"
 "k8s.io/apimachinery/pkg/api/meta/testrestmapper"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/client-go/dynamic"
+ clientgofake "k8s.io/client-go/kubernetes/fake"
 "k8s.io/client-go/rest"
 clientgotesting "k8s.io/client-go/testing"
 "k8s.io/kubernetes/pkg/api/legacyscheme"
- "k8s.io/kubernetes/pkg/apis/authorization"
 kapi "k8s.io/kubernetes/pkg/apis/core"
 "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"
 "k8s.io/utils/clock"
@@ -80,14 +81,16 @@ func TestControllerCheckReadiness(t *testing.T) {
 // fakeclient, respond "allowed" to any subjectaccessreview
 fakeclientset := &fake.Clientset{}
+ sarClient := clientgofake.NewSimpleClientset()
 c := &TemplateInstanceController{
 dynamicRestMapper: testrestmapper.TestOnlyStaticRESTMapper(legacyscheme.Scheme, legacyscheme.Scheme.PrioritizedVersionsAllGroups()...),
+ sarClient: sarClient.AuthorizationV1(),
 kc: fakeclientset,
 clock: clock,
 dynamicClient: client,
 }
- fakeclientset.AddReactor("create", "subjectaccessreviews", func(action clientgotesting.Action) (handled bool, ret runtime.Object, err error) {
- return true, &authorization.SubjectAccessReview{Status: authorization.SubjectAccessReviewStatus{Allowed: true}}, nil
+ sarClient.PrependReactor("create", "subjectaccessreviews", func(action clientgotesting.Action) (handled bool, ret runtime.Object, err error) {
+ return true, &authorizationv1.SubjectAccessReview{Status: authorizationv1.SubjectAccessReviewStatus{Allowed: true}}, nil
 })
 templateInstance := &templateapi.TemplateInstance{
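Review bot: The comment `// fakeclient, respond "allowed" to any subjectaccessreview` in `TestControllerCheckReadiness` still sits above `fakeclientset := &fake.Clientset{}`, but the reactor is now installed on `sarClient`, so the comment describes the wrong object and should move to the `sarClient := clientgofake.NewSimpleClientset()` line. The reactor also answers `Allowed: true` for every review, so as far as this hunk shows the test never exercises a denied SubjectAccessReview. A second case whose reactor returns `Allowed: false` would pin what `checkReadiness` does when the requester lacks permission. The test function continues outside the hunk.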